FTC fines maker of Path app $800,000 for privacy violations

The maker of the Path social networking app will pay a US$800,000 civil penalty to settle U.S. Federal Trade Commission charges that it illegally collected personal information from children without parental consent, the agency said Friday.

Path has also settled FTC charges that it collected personal information from users' mobile address books without their knowledge and consent, the FTC said. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for 20 years, FTC Chairman Jon Leibowitz said during a press conference.

Sharing not specified

Path's social-networking service allows users to keep journals and share them with a network of up to 150 friends. Users can store and share photos, journal entries, their location, and the names of songs they are listening to.

The FTC, in its complaint, charged that the user interface in Path's iOS app was misleading and provided users no meaningful choice about the collection of their personal information. Path's version 2.0 provided users with three options for inviting friends, through their contacts, through Facebook or by inviting them to join Path by email or SMS. However, Path automatically collected and stored personal information from the user's mobile device address book even if the user had not selected the "find friends from your contacts" option, the FTC said.

For each contact in the user's mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter user names, and dates of birth, the FTC said.

Path's privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information, the FTC also alleged. Version 2.0 of the Path app for iOS automatically collected and stored personal information from the user's mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account, the agency said.

"This practice, we believe, was deceptive," Leibowitz said.

Needed parental consent

The agency also charged that Path, which collects birth date information during user registration, violated the U.S. Children's Online Privacy Protection Act by collecting personal information from approximately 3000 children under the age of 13 without first getting parents' consent.

Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and share photos, journal entries, their precise location, and the names of songs they were listening to. Path version 2.0 also collected personal information from a child's address book, including full names, addresses, phone numbers, email addresses, dates of birth, and other information, where available, the FTC said.

"There was a period of time where our system was not automatically rejecting people who indicated that they were under 13," Path said. "Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created."

Path said it hopes it can help other developers learn from its experience.

The FTC action should remind others "of the importance of making sure services are in full compliance with rules like COPPA," the company said. "From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn't until we gave our account verification system a second look that we realized there was a problem."

The FTC announced the settlement with Path on the same day as the agency released recommendations for mobile privacy practices.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.